New Macintosh Viruses Discovered (CODE-1 & MBDF-B)
4 Nov 1993

Virus: CODE-1
Damage: Alters applications and system file; may rename hard disk; may crash system or damage some files. See below.
Spread: possibly limited, but has potential to spread quickly
Systems affected: All Apple Macintosh computers, under Systems 6 & 7.

Several sites have reported instances of a new Macintosh virus on their systems. This virus spreads to application programs and the system file. Its only explicit action, other than spreading, is to rename the hard disk to "Trent Saburo" if the system is restarted on October 31 of any year. However, the virus changes several internal code pointers that may be set by various extensions and updates. This may lead to system failures, failures of applications to run correctly, and other problems.

Under some conditions the virus may cause the system to crash. The virus is detected by some virus protection programs on some Macintosh machines (but no anti-virus program released prior to this date specifically recognizes this virus). This behavior depends on the nature of the hardware and software configuration of the infected machine.

All current anti-virus programs should be updated to the versions listed below to ensure that the virus can be found.

Virus: MBDF-B
Damage: minimal, but see below
Spread: probably limited
Systems affected: Apple Macintosh computers. The virus spreads on all types of Macs except MacPlus systems and (perhaps) SE systems; it may be present on MacPlus and SE systems and not spread, however.

A new variant of the MBDF-A virus has recently been discovered. It seems that a person or persons unknown has modified the original MBDF-A virus slightly and released it. Like the original, this virus does not intentionally cause damage, but it may spread widely. The virus does not necessarily exhibit any symptoms on infected systems.

Some abnormal behavior has been reported in machines infected with MBDF-A, involving system crashes and malfunctions in various programs, which may possibly be traced to the virus. Some specific symptoms include:

* Infected Claris applications will indicate that they have been altered.
* The "BeHierarchic" shareware program ceases to work correctly.
* Some programs will crash if something in the menu bar is selected with the mouse.

The MBDF-B virus should behave similarly and will spread under both System 6 and System 7. Some Mac anti-virus tools will detect this virus. However, all anti-virus tools should be updated so as to properly identify and remove this virus from infected systems.

The authors of all major Macintosh anti-virus tools are planning updates to their tools to locate and/or eliminate these viruses. Some of these are listed below. We recommend that you obtain and use a CURRENT version of AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

Tool: Central Point Anti-Virus
Status: Commercial software
Revision to be released: 3.0a
Where to find: Central Point BBS, (503) 690-6650
When available: November 5, 1993
Comments: Registered users will receive postcards. Also, users can download the file 'Mac CPAV Antidotes 11/5/93' from the usual places to receive the update.

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and John Norstad)
Revision to be released: 3.3
When available: November 5, 1993
Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.2.9
When available: November 8, 1993
Where to find: usual archive sites and bulletin boards -- microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac
Comments: 1.2.8 is already effective against MBDF-B. Gatekeeper Aid will identify it as an "Unknown Strain" of MBDF, but will remove it without difficulty.

Tool: Rival
Status: Commercial software
Revision to be released: CODE-1 Vaccine
When available: Immediately.
Where to find: AppleLink, America Online, Calvacom, CompuServe, Internet XELPH's Customer Service @ 415/327-9563
When available: immediately
Comments: The vaccine will be e-mailed to all registered users.
Comments: The existing Rival MBDF Vaccine already detects/removes MBDF-B.

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.5.9
When available: November 5, 1993
Where to find: CompuServe, America Online, AppleLink, Symantec's Customer Service @ 800-441-7234
Comments: Updates to various versions of SAM to detect and remove CODE-1 and MBDF-B are available from the above sources.

Tool: Virex
Status: Commercial software
Revision to be released: 4.1
Where to find: Datawatch Corporation, (919) 549-0711
When available: November 5, 1993
Comments: Datawatch's BBS number is (919) 549-0042
Comments: Virex currently detects and repairs the MBDF-B virus but identifies it as the MBDF-A virus.
Comments: UDV for CODE-1 virus; Guide Number = 13656448
1: 020A 30FA 7D90 7610 / 8C
2: 00A9 C60C AF00 0A00 / F1
3: 3EA0 0B4E 7581 8090 / 59

Tool: VirusDetective
Status: Shareware
Revision to be released: 5.0.10
When available: immediately
Where to find: various Mac archives
Comments: VirusDetective is shareware. Search strings for the CODE-1 virus will be sent only to registered users via e-mail. Registered users without e-mail access should contact the author for the search string. The MBDF-B virus is already detected by the MBDF-A search string.

If you discover what you believe to be a virus on your Macintosh system, please report it to the vendor/author of your anti-virus software package for analysis. Such reports make early, informed warnings like this one possible for the rest of the Mac community. If you are otherwise unsure of who to contact, you may send e-mail to spaf@cs.purdue.edu as an initial point of contact.

Also, be aware that writing and releasing computer viruses is more than a rude and damaging act of vandalism -- it is also a violation of many state and Federal laws in the US, and illegal in several other countries. If you have *ANY* information concerning the author(s) of these or any other computer virus, please contact any of the anti-virus providers listed above. Several Mac virus authors have been apprehended thanks to the efforts of the Mac user community, and some have received criminal convictions for their actions. This is yet one more way to help protect your computers.